Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published the December edition of their Monthly Monitor and two new Advisories for control system vulnerabilities affecting WellinTech’s KingView and 7-Technologies IGSS SCADA systems.
ICS-CERT continues to produce a brief but valuable monthly newsletter that should be widely read in the control system community. The latest issue contains:
• A neat new logo (okay that’s not so important, but it is good graphics design);
• Another overview of the ‘Water System Hack’;
• A good summary of generic malware analysis and mitigation techniques;
• A summary of the ‘latest’ Gleg Agora SCADA release (probably more appropriate here than as an alert)
• A lengthier listing of control system security articles and blog posts (including one by SCADAHacker, a nice response to my comment last month about the lack of bloggers); and
• Their standard listing of Alerts and Advisories and plug for Coordinated Vulnerability Disclosure
This Advisory describes a heap based buffer overflow vulnerability reported by Luigi through ZDI (so it was coordinated) in the WellinTech KingView system. It appears to be a common remotely exploitable vulnerability that allows execution of arbitrary code by an attacker with an intermediate skill level. WellinTech has a patch available. The CVE number provided in the Advisory is not yet active.
Two interesting things here. First ICS-CERT includes a link to the Chinese language instructions for the patch in addition to the English language instructions (multiculturalism at its best). More importantly the Advisory notes that there are no known exploits available. Luigi typically develops and publishes exploit code, though I can’t find a reference to this vulnerability on his web page. Since this is part of the ZDI project I wonder if he provided them with the code and they just haven’t released it.
7-Technologies seems to be catching it this week. Earlier there was an advisory for their data server and yesterday a new advisory for similar buffer overflow vulnerability discovered by a separate researcher Celil Unuver (SignalSEC LLC). It appears that the same product update will solve both problems. The CVE file on this vulnerability is also not yet active.